loader/linux: Ensure the newc pathname is NULL-terminated (#3082)

Per "man 5 cpio", the namesize in the cpio header includes the trailing
NUL byte of the pathname and the pathname is followed by NUL bytes, but
the current implementation ignores the trailing NUL byte when making
the newc header. Although make_header() tries to pad the pathname string,
the padding won't happen when strlen(name) + sizeof(struct newc_head)
is a multiple of 4, and the non-NULL-terminated pathname may lead to
unexpected results.

Assume that a file is created with 'echo -n aaaa > /boot/test12' and
loaded by grub2:

    linux /boot/vmlinuz
    initrd newc:test12:/boot/test12 /boot/initrd

The initrd command eventually invoked grub_initrd_load() and sent
't''e''s''t''1''2' to make_header() to generate the header:

00000070  30 37 30 37 30 31 33 30  31 43 41 30 44 45 30 30  |070701301CA0DE00|
00000080  30 30 38 31 41 34 30 30  30 30 30 33 45 38 30 30  |0081A4000003E800|
00000090  30 30 30 30 36 34 30 30  30 30 30 30 30 31 36 33  |0000640000000163|
000000a0  37 36 45 34 35 32 30 30  30 30 30 30 30 34 30 30  |76E4520000000400|
000000b0  30 30 30 30 30 38 30 30  30 30 30 30 31 33 30 30  |0000080000001300|
000000c0  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
000000d0  30 30 30 30 30 36 30 30  30 30 30 30 30 30 74 65  |00000600000000te|
                                                                  ^namesize
000000e0  73 74 31 32 61 61 61 61  30 37 30 37 30 31 30 30  |st12aaaa07070100|
                   ^^ end of the pathname

Since strlen("test12") + sizeof(struct newc_head) is 116 = 29 * 4,
make_header() didn't pad the pathname, and the file content followed
"test12" immediately. This violates the cpio format and may trigger such
error during linux boot:

    Initramfs unpacking failed: ZSTD-compressed data is trunc

To avoid the potential problems, this commit counts the trailing NUL byte
in when calling make_header() and adjusts the initrd size accordingly.

Now the header becomes

00000070  30 37 30 37 30 31 33 30  31 43 41 30 44 45 30 30  |070701301CA0DE00|
00000080  30 30 38 31 41 34 30 30  30 30 30 33 45 38 30 30  |0081A4000003E800|
00000090  30 30 30 30 36 34 30 30  30 30 30 30 30 31 36 33  |0000640000000163|
000000a0  37 36 45 34 35 32 30 30  30 30 30 30 30 34 30 30  |76E4520000000400|
000000b0  30 30 30 30 30 38 30 30  30 30 30 30 31 33 30 30  |0000080000001300|
000000c0  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
000000d0  30 30 30 30 30 37 30 30  30 30 30 30 30 30 74 65  |00000700000000te|
                                                                  ^namesize
000000e0  73 74 31 32 00 00 00 00  61 61 61 61 30 37 30 37  |st12....aaaa0707|
                      ^^ end of the pathname

Besides the trailing NUL byte, make_header() pads 3 more NUL bytes, and
the user can safely read the pathname without a further check.

To conform to the cpio format, the headers for "TRAILER!!!" are also
adjusted to include the trailing NUL byte, not ignore it.


Reviewed-by: Daniel Kiper <[email protected]>

Signed-off-by: Gary Lin <[email protected]>
Co-authored-by: Gary Lin <[email protected]>

Author: jjm2473

GRUB2/MOD_SRC/grub-2.04/grub-core/loader/linux.c

@@ -128,11 +128,22 @@ insert_dir (const char *name, struct dir **root,
 	  n->name = grub_strndup (cb, ce - cb);
 	  if (ptr)
 	    {
+	      /*
+	       * Create the substring with the trailing NUL byte
+	       * to be included in the cpio header.
+	       */
+	      char *tmp_name = grub_strndup (name, ce - name);
+	      if (!tmp_name) {
+		grub_free (n->name);
+		grub_free (n);
+		return grub_errno;
+	      }
 	      grub_dprintf ("linux", "Creating directory %s, %s\n", name, ce);
-	      ptr = make_header (ptr, name, ce - name,
+	      ptr = make_header (ptr, tmp_name, ce - name + 1,
 				 040777, 0);
+	      grub_free (tmp_name);
 	    }
-	  size += ALIGN_UP ((ce - (char *) name)
+	  size += ALIGN_UP ((ce - (char *) name + 1)
 			    + sizeof (struct newc_head), 4);
 	  *head = n;
 	  cur = n;
@@ -183,7 +194,7 @@ grub_initrd_init (int argc, char *argv[],
 		}
 	      initrd_ctx->size
 		+= ALIGN_UP (sizeof (struct newc_head)
-			    + grub_strlen (initrd_ctx->components[i].newc_name),
+			    + grub_strlen (initrd_ctx->components[i].newc_name) + 1,
 			     4);
 	      initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
 					      &root, 0);
@@ -194,7 +205,7 @@ grub_initrd_init (int argc, char *argv[],
       else if (newc)
 	{
 	  initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
-					+ sizeof ("TRAILER!!!") - 1, 4);
+					+ sizeof ("TRAILER!!!"), 4);
 	  free_dir (root);
 	  root = 0;
 	  newc = 0;
@@ -217,7 +228,7 @@ grub_initrd_init (int argc, char *argv[],
     {
       initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
       initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
-				    + sizeof ("TRAILER!!!") - 1, 4);
+				    + sizeof ("TRAILER!!!"), 4);
       free_dir (root);
       root = 0;
     }
@@ -269,14 +280,14 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
 	  ptr += insert_dir (initrd_ctx->components[i].newc_name,
 			     &root, ptr);
 	  ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
-			     grub_strlen (initrd_ctx->components[i].newc_name),
+			     grub_strlen (initrd_ctx->components[i].newc_name) + 1,
 			     0100777,
 			     initrd_ctx->components[i].size);
 	  newc = 1;
 	}
       else if (newc)
 	{
-	  ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1,
+	  ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!"),
 			     0, 0);
 	  free_dir (root);
 	  root = 0;
@@ -308,7 +319,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
     {
       grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4));
       ptr += ALIGN_UP_OVERHEAD (cursize, 4);
-      ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
+      ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!"), 0, 0);
     }
   free_dir (root);
   root = 0;